How to verify droplet's SSH public key fingerprint?

Before SSHing to a droplet for the first time, is there a way to verify the public key fingerprint? This question was asked last year, but there wasn’t any good way to do this back then. Any updates?

As the previous asker suggested, “Ideally it would be part of the response body when a new droplet is created or have its own API call”. The fingerprint could also be displayed in the web interface for each droplet.

I found another solution for this: when creating the droplet, enable “User data” and put in a script which installs a web server and publishes the server’s SSH key fingerprint. You can verify the key hasn’t been modified in transit using an HMAC with a shared secret. Here’s an example script:
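The scheme the post describes (publish the host key fingerprint together with an HMAC over it under a shared secret, then check it before the first SSH login) can be worked out as follows. This is an added example, not the poster's script: the droplet-side script is reduced to the two functions a web server would call, the host key line is a constructed fake ed25519 key, and `secret` is whatever you put into the user-data script.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: an OpenSSH-format ed25519 public key line built from a
# fake 32-byte key. A real script would read /etc/ssh/ssh_host_*_key.pub instead.
def constructed_host_key_line() -> str:
    key_bytes = bytes(range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@droplet"

def fingerprint_sha256(pubkey_line: str) -> str:
    """The fingerprint `ssh-keygen -lf` prints: SHA256 of the key blob,
    base64-encoded with the '=' padding stripped."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def publish(pubkey_line: str, secret: bytes) -> str:
    """Droplet side: the text the web server serves, 'fingerprint tag',
    where tag = HMAC-SHA256(secret, fingerprint)."""
    fp = fingerprint_sha256(pubkey_line)
    tag = hmac.new(secret, fp.encode(), hashlib.sha256).hexdigest()
    return f"{fp} {tag}"

def verify(published: str, secret: bytes) -> str:
    """Client side: recompute the tag, compare in constant time, and return
    the fingerprint to match against the one ssh shows on first connect."""
    fp, tag = published.split()
    expected = hmac.new(secret, fp.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("fingerprint HMAC mismatch: do not trust this key")
    return fp

def is_authentic(published: str, secret: bytes) -> bool:
    """Convenience wrapper for callers that just want a yes/no answer."""
    try:
        verify(published, secret)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    line = constructed_host_key_line()
    served = publish(line, b"shared-secret-from-user-data")
    print("served:  ", served)
    print("verified:", verify(served, b"shared-secret-from-user-data"))
```

The secret travels inside the user-data script, so the HMAC only protects the fingerprint between the droplet's HTTP response and you; it says nothing about a droplet whose provisioning was already tampered with.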

Currently the only way to do this would be to log in through the web console and check it there before accepting it over SSH. I suppose no matter how you spin it, you’re accepting something remote as truth, so I don’t know the most flawless answer. It is an interesting thought experiment, I fear it will plague my mind for the remainder of the evening.

Hi, thanks for your reply. The problem is that you can’t log in through the web console if you add your SSH key when creating the droplet.

If the droplet’s SSH fingerprint was displayed in the web interface, then the only thing you’d need to trust would be the website (there’s no way around that, after all, but that’s what the EV certificate is for). In the current situation, you also need to (blindly) trust every new key you receive when logging in through SSH. This really should be addressed, it’s an important security issue.

Thank you for pushing for this @orric. I’m experiencing this right now and it’s a huge hassle… this should be absolutely trivial and as you suggest shown to the user during the droplet creation process!

I also found that the fingerprints are shown in the web console right after the VM is created (with Debian 9, at least). You can see them without having to log in. The problem is that, as you said, the console is a canvas element, so you can’t copy text from it.

If anyone knows a way to copy text from the web console, please leave a comment.